The Bluetooth-enabled doll My Friend Cayla and other connected devices that are part of the Internet of Things can threaten privacy if they are hacked, experts say. Privacy advocates, who warn that it is becoming more difficult to protect privacy, call for more regulation. (Cover: AFP/Getty Images/Leon Neal)

Nearly 2 billion consumer records were stolen or accidentally exposed in the United States last year, including personal data on nearly half the U.S. population held by the Equifax credit agency. The data breaches raise questions about whether consumers’ information can be protected. Privacy advocates want lawmakers to adopt rules similar to those in Europe, which require consumer consent before companies can use or share data. Congress is considering bills that would penalize companies that conceal breaches and would educate consumers on how to better safeguard their data. But little action is expected because of disagreements over how much regulation is needed. Many Republicans warn that excessive regulation could harm online commerce, while most Democrats want greater business accountability. Technological developments make it more difficult to protect online privacy, while the rapid expansion of the Internet of Things — in which consumer devices are connected to the internet and sometimes each other — makes hacking easier and could lead to the surveillance of unwitting consumers.

Just before Christmas last year, Tara Nicolson received a call from a credit card company, which said it had received an application for a card in her name.

After long hours on the phone, she discovered that someone was using her personal information to try to set up accounts with 17 different companies. “I didn't know where to turn,” says Nicolson, of Lawrenceville, N.J. “It just felt very overwhelming.”

The fraudulent credit card applications in Nicolson's name occurred only months after a massive data breach at the Equifax credit-reporting firm. While she suspects the Equifax breach, in which the records of 145 million Americans were stolen, is to blame for her experience, it is impossible to know for sure whether that breach was where the thieves got her data. “We're just so vulnerable,” Nicolson says.

Nicolson's trials are part of a growing struggle over online privacy and data security. More and more companies are collecting consumer data and sharing it with third parties. As the volume of online personal information has grown, so have massive data breaches — 2017 saw a record number in the United States. Although the hacking threat is escalating, Congress has yet to act, partly because of divisions over how much regulation to impose on the internet without hurting online commerce and stifling innovation.1

The Identity Theft Resource Center, a victims’ advocacy group in San Diego, tracked 1,579 breaches last year, up 44.7 percent over the previous year's record total of 1,091.2 And, according to the Electronic Privacy Information Center (EPIC), an independent research group focused on privacy issues, 73 percent of all U.S. businesses have now been breached.3

Tara Nicolson of Lawrenceville, N.J., discovered last year that hackers had stolen her personal information and tried to open more than a dozen credit card accounts, just months after a massive data breach at the Equifax credit bureau. Although threats to privacy are escalating, Congress has yet to act, partly because of concern that too much regulation might hurt online commerce and stifle innovation. (Courtesy Tara Nicolson)

Five of the most significant breaches in recent years involved a variety of U.S. companies:

The Equifax breach lasted from mid-May until July and resulted in hackers stealing the names, Social Security numbers, birth dates and addresses of almost half the U.S. population. The company did not reveal the breach until September.4

Yahoo disclosed last year that all of its 3 billion accounts, including its email, Yahoo Fantasy Sports, the Tumblr blogging and social-networking site and the Flickr photo-sharing site, were breached in 2013; hackers made off with email addresses and passwords.5

At Uber, a 2016 hack that affected 57 million accounts worldwide was concealed for about a year, and the ride-sharing company paid the hackers a ransom of $100,000 to delete the driver's license numbers and email addresses they had stolen.6

A 2013 breach of credit- and debit-card records of 110 million Target customers prompted the retailer's CEO to resign.7

A 2014 cyberattack at eBay exposed the names, addresses, birthdays and passwords of all 145 million of its users.8

Hackers have a variety of tools at their disposal, according to experts. “Phishing” and “keylogging” are two of the most popular. With phishing, someone poses as a trusted company or person — either online or on the phone — to lure the user into giving up personal information. Keylogging involves the use of software to record what the targeted consumer types on a keyboard, including passwords.9

Although the massive breaches and the unwillingness of some companies to report them quickly have triggered worry among businesses, regulators and lawmakers, the federal government has taken little action and, in fact, has loosened Obama-era privacy restrictions.

The Federal Communications Commission (FCC) in October 2016 approved rules to limit how internet service providers (ISPs) could use and sell customer data in what many called an important step toward giving consumers the right to control their own information. The rules would have given consumers the right to bar providers from sharing location data, browsing history or data about app usage.

The largest data breach thus far this century involved all 3 billion accounts held by Yahoo, affecting hundreds of millions of users of Yahoo email, Yahoo Fantasy Sports, the Tumblr blogging and social-networking site and the Flickr photo-sharing site. While the Yahoo hackers stole email addresses and passwords, last year's breach of the Equifax credit-reporting agency involved the theft of far more consequential data: private financial information and Social Security numbers of 145.5 million Americans.

But in March Congress passed, and in April President Trump signed, a bill that killed those rules. Tech firms such as Google and Facebook had joined the ISPs in pressing for the rules to be overturned, arguing that they were too restrictive.10

In December, the FCC overturned net neutrality, instituted in 2015 to bar ISPs from throttling or otherwise prioritizing access to the internet and defining ISPs as utilities, and thus under FCC purview. Republicans argued that the Federal Trade Commission (FTC), and not the FCC, was the appropriate regulator of ISPs and the December FCC ruling restored the FTC to that role.11

A bill introduced in January by Democratic Sens. Elizabeth Warren of Massachusetts and Mark Warner of Virginia would create an office of cybersecurity within the FTC to give it direct authority over credit agencies. The Data Breach Prevention and Compensation Act would impose mandatory penalties for breaches and require compensation to consumers.12

Other proposed bills include mandating penalties for companies that fail to report a breach in a timely manner and requiring opt-in consent by consumers before broadband cable companies and ISPs could share personal data. But lawmakers from both parties agree that passage of such regulations is unlikely this year, given the president's and the GOP majority's opposition to additional business regulations.

While Congress has yet to act, the 28-member European Union (EU) has adopted far-reaching privacy regulations that go into effect in May that will apply to any U.S. corporations doing business with EU citizens. The General Data Protection Regulation will require simple, easy-to-understand consent language for consumers, who will need to “opt in” before companies can use their data.13

Experts say the sheer volume of data and the speed of its growth increase the urgency for action in the United States. IBM estimates 90 percent of all data in 2017 had been created in the past two years. That is 2.5 quintillion bytes of data every day.14

In the absence of government action, some U.S. companies are seeking solutions. Google's parent company, Alphabet, is launching a cybersecurity-focused business to help companies protect themselves against hackers. The new firm, Chronicle, is “dedicated to helping companies find and stop cyberattacks before they cause harm,” said CEO Stephen Gillett. Talent shortages and tight budgets prevent businesses from maintaining top-notch data security, he said.15

But consumers also are freely giving up their personal data in exchange for the convenience of using the Web. “People are really selling their information cheaply,” says consumer credit adviser Liz Weston, a columnist at NerdWallet, a personal finance website. “I'm not sure all of them understand that when you're getting something for ‘free’ that you're giving something up.”

Cybersecurity expert Bruce Schneier agrees. “Data is collected, compiled, analyzed and used to try to sell us stuff,” he said. “Personalized advertising is how these companies make money and is why so much of the internet is free to users. We're the product, not the customer.”16

The development of algorithms to analyze personal information that is then used to determine mortgage approvals, college admissions and other life-changing decisions raises concerns as well. The Future of Privacy Forum, a Washington think tank that studies data privacy, said potential harms include discrimination in employment, benefits, housing and education.17

In the United States, banks and financial institutions are free to share consumer data with their affiliates. While they must tell consumers they are sharing their information, the consumer has no right to stop them from sharing with their affiliates. But if the institutions wish to share the data with third parties, consumers have a right to opt out. Few have chosen to do so, but many say the policies are difficult to understand and sometimes misleading.18

The Supreme Court will provide guidance on digital privacy issues this year. In Carpenter v. United States, the court will decide whether cellphone data held by a third party, the carrier, is protected by Fourth Amendment privacy rights against warrantless searches by government agencies.

Meanwhile, most experts agree the United States needs a new identification system to replace the Social Security card number. Some argue its use should be prohibited in the private sector to lessen the chances of identity theft. Technological advances — ranging from encryption to biometrics and facial recognition — could also be part of a more secure system.

The increasingly popular Internet of Things, which connects such things as refrigerators and toys to the internet and sometimes enables them to communicate with each other, will likely top 11 billion devices in 2018. But it continues to raise privacy questions because some devices may also be recording users’ words and behaviors.19

The number of interconnected devices — known as the Internet of Things (IoT) — is projected to nearly quintuple worldwide between 2015 and 2025. The IoT connects TVs, fitness bands, appliances and other items to the Web and sometimes to each other. Note that figures for 2017 to 2025 are projections.

“These products raise significant consumer privacy concerns,” says Marc Rotenberg, president of the Electronic Privacy Information Center. For instance, he says, the Google Home Mini virtual assistant “was manufactured in the ‘always on’ position,” which means it was recording conversations without being prompted. The device, which according to Google has sold at a rate of one per second since its release on Oct. 19, 2017, has been updated to address the glitch, but Rotenberg has called for an investigation of such devices that are “always-on.”20

Industry experts agree data security is the biggest challenge in cloud computing, where information is stored on a remote, instead of a local, server. “The responsibility for protecting … information from hackers and internal data breaches then falls into the hands of the hosting company rather than the individual user,” said the Privacy Rights Clearinghouse, a consumer advocacy group. “Privacy and security can only be as good as its weakest link.”21

Technology known as de-identification holds promise because it would allow companies to remove key identifiers linking individual records to consumer data, says John Verdi, vice president of policy for the Future of Privacy Forum think tank. “De-ID is increasingly important … as technologies evolve,” he says.

As privacy experts, consumer advocates, lawmakers and others debate how to protect online data, here are some of the questions they are asking:

Should consumer consent be required before data can be shared?

The use of consumers' information without their explicit consent is one of the most controversial practices in the data privacy debate.

When the California software company Alteryx left an unsecured database online late last year, it contained millions of records about U.S. households, including addresses, finances, car and home ownership and even data about children. Much of the information reportedly had originated with Experian, one of the big three credit bureaus in the United States, which had collected the data and sold it.22

Experian was not required to get consent from those consumers before sharing their data with Alteryx. While Experian stressed that the information did not include any personally identifiable information, the researcher who discovered the unsecure database said the data would be a “gold mine” for unscrupulous marketers or identity thieves.

The United States, unlike the European Union, gives consumers limited privacy protection. Under the new EU regulations, companies will need to keep track of how and when citizens give consent to use their data. The penalty for breaking the rule is steep — up to 4 percent of a company's annual global revenues.23

The United States has no similar federal regulation. The new rules created by the FCC in 2016 that were overturned by the current Congress would have forced ISPs to give consumers the opportunity to “opt in” before collecting personal information such as financial information, children's information and location data. The rules also would have forced ISPs to let customers decide whether service providers could share additional information, including browsing and app usage data, with advertisers and third parties.24

ISPs, such as Verizon, which lobbied to get the rule repealed, want to expand their digital advertising opportunities, and the browsing history data is key to doing that.

Last fall, Rep. Marsha Blackburn, R-Tenn., introduced the BROWSER Act (Balancing the Rights of Web Surfers Equally and Responsibly) that would prohibit either ISPs or content providers (such as Google or Facebook) from selling data without opt-in consent.

The Internet Association, which represents Facebook, Google, Twitter and other big internet companies, opposes the bill, saying it could “upend the consumer experience online and stifle innovation.” It also argues the bill is unnecessary because websites and apps must comply with “strict FTC privacy enforcement [rules].”25

But some in business want Congress to take the lead rather than the regulatory agencies. “Regulators under four different presidents have taken four different approaches,” said AT&T Chairman and CEO Randall Stephenson on Jan. 24. “Courts have overturned regulatory decisions. Regulators have reversed their predecessors.”

“Congressional action is needed to establish an ‘Internet Bill of Rights' that applies to all internet companies and guarantees neutrality, transparency, openness, non-discrimination and privacy protection,” he said. “It would provide consistent rules of the road for all internet companies across all websites, content, devices and applications.”26

Others argue that AT&T's proposal is a way to eliminate the regulatory distinctions between ISPs and content providers. They also say a common set of regulations for ISPs and content providers would be akin to regulating farms and grocery stores in the same way.27

Technology security expert Schneier said lawmakers must act. “Congress needs to give the Federal Trade Commission the authority to set minimum security standards for data brokers and to give consumers more control over their personal information,” he said. “This is essential as long as consumers are these companies' products and not their customers.”28

Most consumers automatically click “I agree” to terms-of-service agreements online, choosing functionality over privacy and sometimes unknowingly giving up their personal data for use in behavioral targeting.

“I have never met anyone who has read those terms of service,” says Priscilla Regan, a professor in the Department of Public and International Affairs at George Mason University and author of Legislating Privacy: Technology, Social Values, and Public Policy. “When we go online to do something, we … are focused on [the transaction],” she says. “We don't always operate in a way that protects our privacy.”

Most consumers are unaware they are exchanging their private data for the use of online services or functionality, Regan says. “We go online and do something and we think we're doing it for free,” she says. “But it's not free. We've become the commodity. Our behavior is of interest to the companies so they can target us better.”

Behavioral targeting, which tailors online ads to individuals' preferences, has been found to be effective for both marketers and consumers. In a marketing analytics study, 71 percent of respondents preferred ads tailored to their interests and shopping habits, and users were twice as likely to click on unknown brands if the ads were tailored to them.29

But when a company loses personal data, regardless of whether it's from a newsletter sign-up or from a credit bureau, who is liable?

A computer monitor at a House Financial Services Committee hearing on Oct. 25, 2017, tallies the damage from last year's Equifax data breach. Hackers stole the names, Social Security numbers, birth dates and addresses of nearly half the U.S. population, but the company did not reveal the breach until more than three months later. (Getty Images/Bloomberg/Andrew Harrer)

The responsibility for privacy does not rest solely on consumers' shoulders, some argue. “Strong consent is beside the point,” says Rotenberg of EPIC. If a “company chooses to collect your personal data, they take on the responsibilities” of ensuring that it is secure.

In congressional testimony last November, Schneier argued that protecting consumer data is more important than just protecting the rights of the individual. It is also vital for national security. “In a world where foreign governments use cyber capabilities to attack U.S. assets, requiring data brokers to limit collection of personal data, securely store the data they collect, and delete data about consumers when it is no longer needed is a matter of national security,” he said.30

And as biometrics such as facial recognition become more commonplace, consent becomes more nebulous. “When there's a billboard that watches who's walking by it and shows ads related as to who you are [by facial recognition] there's no way of doing consent,” he says.

“Choice is supposed to be given expression by explicit consent,” says Jim Harper, executive vice president of the Competitive Enterprise Institute, a libertarian think tank in Washington. “But try implementing that…. It would fail.”

Should the Social Security card be replaced as a primary means of identification?

Social Security numbers (SSN) were never intended to be used as a national identifier. When the first card was issued in 1936, the number was designed simply to keep track of the earnings of U.S. workers for benefits and entitlement programs.

Today, it is the most commonly used identifier in the country.

“SSN is a completely archaic identifier,” says Tim Edgar, a privacy lawyer and former White House cybersecurity adviser. Edgar is a senior fellow at Brown University who helped put together its Executive Master in Cybersecurity program.

“It's incredibly insecure,” he says. “It's perfectly fine as a number, but it provides no security whatsoever.”

The Trump administration is seeking ways to replace the Social Security card system. One possibility is two-factor authentication involving public and private “keys.” When people want to access their account, they would use their public key and would then be sent a message that could only be decrypted with the private key.32

Some experts see Estonia's national cryptographic identifier system as a promising model. Every citizen receives a smartcard that securely identifies the user for services and transactions — all online. Its public key infrastructure and auditing system undergoes constant upgrades to keep pace with technology. If a breach occurs no private information is exposed because data backups are stored at “data embassies” around the world.33

Congress last fall took a small step toward reducing the SSN's exposure to potential fraud by passing the Social Security Number Fraud Prevention Act. It prohibits federal agencies from listing Social Security numbers on any mailed documents except in special circumstances.34

Most experts agree the number works perfectly well as an identifier but not as an “authenticator.” No secure system would use the same number as both your log-in and password, said Alessandro Acquisti, an information technology professor and privacy expert at Carnegie Mellon University in Pittsburgh. Yet that is how the Social Security number is used.35

Some university databases, for instance, rely on the number to identify students. And credit card companies use it as an authenticator.

“Your email address is a form of identification,” said Acquisti. “You can share it publicly, so that people can contact you via that address. The password you use to access your email, instead, is a form of authentication: It should stay secret, because you want to be the only one who can access your emails.”36

Sixty-six to 70 percent of Americans in 2016 were confident their cellphone, credit card and email providers were protecting their personal data, but fewer than half of those surveyed had the same confidence in the federal government or social media companies. Note that refusals and “does not apply” responses are not shown.

Businesses bear some of the blame for the security problems surrounding the SSN, said Steven M. Bellovin, a professor of computer science at Columbia University in New York City, who focuses on security and privacy questions. The problem is not with the number, he said, but with businesses that use it without instituting additional security standards, Bellovin said.37

“Make credit providers liable for the full damages, including ongoing inconvenience, suffered by victims of identity theft,” he wrote. “SSNs are not the problem; authentication commensurate with the risk to all parties, including especially individuals, is.”38

Testifying before the Senate Banking Committee late last year, EPIC's Rotenberg said Congress should ban private sector use of the number unless a company has explicit legal authority to use it.39

The ability to prove one's identity is the crux of the matter, says technology security expert Schneier. “The real problem is we need to authenticate ourselves again and again, and we don't have a secure way to do it.”

Some experts have proposed biometric solutions. But Rotenberg says a national biometric identifier “raises serious privacy and security risks.” While passwords can be completely private, known only to the user, biometrics are inherently public.

“I do know what your ear looks like, if I meet you, and I can take a high-resolution photo of it from afar,” said Alvaro Bedoya, a professor of law at Georgetown University in Washington, D.C. “I know what your fingerprint looks like if we have a drink and you leave your fingerprints on the … glass.” That makes biometrics easily hackable and trackable.40

The solution may lie in using more than only one number or one imprint for authentication. “This needs to be a little bit painful,” says Eva Casey Velasquez, president and CEO of the Identity Theft Resource Center. She says biometrics should be just one piece of a secure authentication system.

“Things like how I hold my phone … not just your passcode, but the pressure that is applied. That data can be captured and analyzed. That doesn't feel deeply private to me, but it can serve as an initial authenticator.”

Other countries have adopted biometrics as part of their authentication systems. Australia's tax office, for instance, uses voice-based biometrics to authenticate identities. Other countries are using biometrics to secure their data together with other techniques, such as blockchain software. Blockchain is essentially a shared digital ledger that exists across a network of computers with no central authority so no single party can tamper with the records, and there is no single point of failure. Estonia and Dubai are in the process of moving all of their medical records to a blockchain system.41

India has an identity biometrics program that has digital information on more than 1 billion people in its database. Its 12-digit Aadhaar number links to a central database housing biometrics, including an iris and fingerprint scan, a photo and demographic information. Citizens will need the number to open a bank account or to get basic services.42

Paul Romer, a former chief economist at the World Bank, has called it “the most sophisticated system” he has seen.43

Harper of the Competitive Enterprise Institute says another option may be creating “self-sovereign” identities in which “I become the warehouse of data about myself.”

“That might really change up the game,” he says. “Rather than proving my existence by referring to a government card or government number,” each person would create identities for different things. “One for online, one for political participation, one for real-world social purposes.”

Should police be allowed to use cellphone data gathered without a warrant?

Few dispute that laws, and the court decisions based on them, have failed to keep up with the speed of technological change and unforeseen threats to privacy. Laws written before the Web's inception reflect a time when one's privacy was defined within solid walls, not virtual ones, and a “reasonable expectation of privacy” largely existed only within those tactile structures.

The Supreme Court will hear a case this fall, Carpenter v. United States, that legal experts say can clarify the rules on government surveillance and privacy.

Timothy Carpenter was found guilty of involvement in six Michigan robberies after cellphone records placed him near four of the crime scenes. He is currently serving a 116-year prison sentence.44

The Fourth Amendment protects the right of citizens to be secure in their “persons, houses, papers and effects against unreasonable searches and seizures” by government agents or entities and requires authorities to show “probable cause” before a search warrant is granted. Despite the amendment's prohibition against warrantless searches, government entities have been obtaining such records without a warrant for years. Verizon Communications said it received more than 20,000 requests from the government for data on cellphone locations during the first half of last year. Only a quarter of those were submitted with a warrant.45

Lower courts have upheld the practice largely based on the so-called third-party doctrine, which states that such records can be obtained without a warrant if the individual gave the information voluntarily to a third party. In the Carpenter case, the government is arguing that Carpenter gave MetroPCS and Sprint, as the cellphone carriers, his cellphone's location information, which authorities wanted to search.

Rulings from the 1970s reinforced the third-party doctrine, when courts held that individuals had no “legitimate expectation of privacy” from warrantless searches if they gave their data to a third party. But much has changed since then, privacy advocates say, and today third parties hold massive amounts of information from individuals. Supreme Court Justice Sonia Sotomayor signaled her unease with the doctrine in a recent opinion, saying it is “ill-suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”46

The Carpenter case is “the occasion for the Supreme Court to bring the Fourth Amendment into the 21st century,” says Erwin Chemerinsky, dean of Berkeley Law. “Getting rid of third-party doctrine is crucial.”

A new Visa credit card that can be authenticated through biometrics is displayed at the National Retail Federation's Big Show on Jan. 16, 2018, in New York City. Some experts say biometrics and other technology could make data more secure and better prevent identity theft, but others say the technology presents serious privacy and security concerns. (Getty Images/Visa/Dave Kotinsky)

Arguing against warrantless searches, the Electronic Privacy Information Center is urging the Supreme Court to extend constitutional protection to cellphone data. It has asked the court to reverse a decision in a 1970s case, Smith v. Maryland, which has been the basis for allowing authorities to collect calling data. That case is from an era “when rotary phones sat on desk tops,” EPIC said.47

EPIC and 36 technical experts and legal scholars filed an amicus brief in the Carpenter case recommending that the high court extend Fourth Amendment protection to cellphone data.48

“The vast majority of Americans carry cellphones with them in their everyday lives, and the question posed by this case is whether the traditional protections of the Fourth Amendment — including requiring a warrant — will apply to prevent the pervasive location-tracking of any one of us,” said American Civil Liberties Union (ACLU) attorney Nathan Freed Wessler, who is representing Carpenter.49

But Justice Department attorneys counter that “the government has a compelling interest in obtaining cell-site records to identify suspects, clear the innocent, and obtain information in the preliminary investigation of criminal conduct.”50

In its brief in the Carpenter case, the department pointed to the U.S. Court of Appeals' conclusion that there is a distinction between the content of personal communications, which is private, and the information needed to get those communications from one place to another, which is not. “Historical cell-site records ‘fall on the unprotected side of this line,’ the appeals court said, ‘because they contain routing information’ and ‘say nothing about the content of any calls.’”51

A cellphone user, as a result, has no reasonable expectation of privacy, the Justice Department argued. “Just as a person who dials a number into a phone ‘voluntarily convey[s] numerical information to its equipment in the ordinary course of business,’ … a cellphone user must reveal his general location to a cell tower in order for the cellular service provider to connect a call,” attorneys wrote.52

The speed of innovation in the digital space has made it “very hard for the Supreme Court, with the Fourth Amendment, to keep up,” says Chemerinsky.

“My sense is that the Supreme Court needs to take a lot more of these cases, and needs to lay out some broad principles,” says Edgar, the former White House cybersecurity adviser. “If these decisions are decided very narrowly and things just continue … then we will be deciding not to decide, and that is in itself a decision.”

Home as Castle

The roots of privacy in the United States date to the 17th and 18th centuries, when colonists inherited a strong belief from their English forebears that their homes were sacrosanct and could not be illegally searched; nor did they want troops quartered in their houses without their permission.

As democratic norms spread in the colonial period and the newly independent nation drew up a constitution in 1787, the notion of privacy came to encompass the protection of liberty from governmental authority.

In a landmark 1890 Harvard Law Review article, 34-year-old lawyer Louis Brandeis of Boston, who would become a Supreme Court justice in 1916, and a co-author argued that the United States needed to formally recognize a right to privacy. Spurring his call was the growing use of photography and the expansion of a muckraking press that was aggressively investigating the excesses of the age.

“Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual … the right ‘to be let alone,’” they wrote. “Numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops.’”53

The Constitution's framers had sought to protect Americans in their “beliefs, their thoughts, their emotions and their sensations,” Brandeis and Samuel D. Warren wrote.

They proposed that invasions of privacy be classified as a tort — a wrong for which someone can sue in court and obtain economic damages.

In 1928, the growing popularity of two new technologies — the telephone and wiretapping — led Brandeis to argue in a dissenting opinion in Olmstead v. United States for a constitutional right to privacy. Brandeis became the first Supreme Court justice to recognize such a right under the Fourth Amendment's prohibition against “unreasonable searches and seizures” by the government and to recognize the threat that technology posed to citizens.54

Meanwhile in Europe, to help with its planning, the Dutch government in the 1930s compiled a comprehensive registry of its population that contained the names, addresses and religions of its citizens. But when Nazi Germany invaded the Netherlands in 1940, the Nazis used the registry to track down Jews and Gypsies.55

In 1948, the United Nations passed the Universal Declaration of Human Rights, proclaiming that privacy is a fundamental human right. And in 1950, the Council of Europe, a human rights organization, adopted the European Convention on Human Rights, including the right to “private and family life.” The European Court of Human Rights — which adjudicates allegations of human rights violations — has interpreted that right to include the protection of personal data. The convention requires the council's 47 member states to ensure their national laws adhere to its principles.56

In the United States, privacy rights did not begin to gain momentum until the 1960s. In 1965 and '73, the Supreme Court cited an individual's right to privacy in landmark decisions establishing the right to use contraception (Griswold v. Connecticut) and to have an abortion (Roe v. Wade). In 2003 in Lawrence v. Texas, the court recognized the right to privacy in homosexual relations.57

The U.S. Constitution does not explicitly mention privacy, but Justice William O. Douglas, writing for the majority in Griswold, called privacy a “penumbral right,” meaning it was implicit in the Bill of Rights. For example, he wrote, the Fourth Amendment and its prohibition against “unreasonable searches and seizures” created a zone of privacy in the bedroom.

“Would we allow the police to search the sacred precincts of marital bedrooms for telltale signs of the use of contraceptives?” he asked.58

In the 1970s Congress also began to address the issue. In 1970, it passed the Fair Credit Reporting Act, which regulated information included in credit reports. It stipulated that after seven years — and 10 years for bankruptcy — information about debt collections, civil lawsuits, tax liens and arrests for criminal offenses must be removed from such reports.59

Congress also approved the 1974 Privacy Act prohibiting federal agencies from disclosing personal information about an individual without the person's consent, except for purposes such as law enforcement, census statistics and congressional investigations.60

And in 1978, Congress passed the Foreign Intelligence Surveillance Act (FISA), creating a separate court to oversee requests for surveillance and covert searches, with looser rules for obtaining permission to conduct such surveillance.

Internet Age

The internet — a network that allows computers to communicate with each other — can be traced to the 1960s when the RAND Corp., a think tank in California focused on military issues, devised a communications network that could survive a nuclear war. With funding from the Defense Department's Advanced Research Projects Agency (DARPA), the fledgling network grew from seven university computers in 1969 to several thousand by the early 1970s.61

As computers became smaller, cheaper and more powerful, the internet exploded in popularity after Tim Berners-Lee, a British scientist at CERN, a scientific research center in Switzerland, invented the World Wide Web in 1989 — allowing the interconnection of documents and photos with hypertext links. The software was offered for free along with a browser and code library, ensuring the software's rapid, widespread adoption.62

The internet's dramatic growth presented a new set of challenges for Congress. The Electronics Communication Privacy Act (ECPA), passed in 1986, set standards for how the government could access digital information. It required that authorities get a warrant before digital communications could be intercepted or read, but only on public servers and only for 180 days, after which only a subpoena was necessary.63

But technology has outpaced the ECPA, which was written before the existence of search engines, Facebook, smartphones and other technologies. “The outdated Electronic Communications Privacy Act,” the ACLU said, “allows the government to intercept and access a treasure trove of information about who you are, where you go, and what you do, which is being collected by cellphone providers, search engines, social networking sites, and other websites every day.”64

Spurred by the 9/11 terrorist attacks, Congress in late 2001 passed the Patriot Act, expanding authorities' ability to conduct warrantless searches and access information about Americans' online and offline communications. The act was updated with the 2015 Freedom Act, which extended the Patriot Act through 2019 but eliminated the bulk collection of Americans' phone records.

The Patriot Act includes a “roving” wiretap provision that allows the FBI to eavesdrop on suspects who use and dump cellphones. The government's ability to collect business records in investigations continues but is limited in scope.

Net Neutrality

The internet's growth in size and sophistication spawned a new debate: How much control should internet service providers have over how consumers experience the internet and how their data is handled? An ISP is basically the pipe that delivers the internet to a business or a home, as well as a person's phone or computer.

The Telecommunications Act of 1996 was the first major overhaul of telecommunications law in almost 62 years, according to the FCC website. The goal was to allow any communications business to compete in any market, including telephone services, cable and broadcast.65

But a few years later, Democrats warned of potentially monopolistic behavior among ISPs, which led to the idea of “net neutrality,” where providers would be required to treat all internet traffic equally and not charge for faster speeds. “Net neutrality is an important concept on which the internet has been built upon,” said Google CEO Sundar Pichai, at the World Economic Summit on Jan. 24. Moving away from it “can actually favor big companies,” he said.66

Republicans argued that no regulation was needed, and that internet businesses should evolve freely as the market saw fit. “President Clinton got it right in 1996 when he established a free market-based approach to this new thing called the Internet, and the Internet economy we have is a result of his light-touch regulatory vision,” said FCC Chairman Ajit Pai, who was nominated by President Trump. “We saw companies like Facebook and Amazon and Google become global powerhouses precisely because we had light-touch rules that apply to this Internet.”67

During the Obama administration, and after years of heated debate, the FCC — which then had a Democratic majority — approved the 2015 Open Internet Order prohibiting ISPs from attempting to block, throttle or prioritize website speeds. It defined the Web as a utility — something everyone needs, similar to running water or electricity. “Like the air that we breathe [the internet] belongs to the people,” says Rep. Hank Johnson, D-Ga. “Therefore, the people's interest must be protected.”

Opponents said the FCC gained too much power under the Open Internet Order, including authority over privacy policies, which previously had belonged to the Federal Trade Commission. “The FTC has been our nation's privacy enforcer, and we think [we should] leave that authority with them,” says Rep. Blackburn.

Because the Open Internet Order designated the internet a utility, the FTC could no longer regulate the ISPs, because it lacked authority to regulate “common carriers” — companies providing utility services — as the internet was now defined. However, in late 2017, the Republican-dominated FCC rescinded the Obama-era net neutrality rules and returned regulatory power over privacy issues to the FTC.68

A recent appeals court ruling found that if an ISP provides a common-carrier service such as mobile phone service — which many of them do — the FTC is not allowed to enforce its regulations against them. The case is on appeal.69

The ISPs have pledged to follow the FTC's recommendations on opt-in consent for sensitive information.

The states might have the final word on all this. After the repeal of the FCC's more stringent privacy regulations, legislatures in at least 22 states and the District of Columbia have proposed bills tightening consumer privacy rules. Nevada and Minnesota already require ISPs to get opt-in permission before sharing personal information. And Minnesota requires permission before disclosing data about browsing habits.

The marketplace may also offer some solutions to consumers seeking privacy. “We anticipate the return of ‘pay-for-privacy,’” in which consumers can pay more for internet services that keep their browsing information private, according to Fatemah Kahtibloo, a principal analyst at the market research firm Forrester. She predicted the development of “tiered pricing models that would effectively make privacy a privilege for those who could afford to pay more for these services every month.”70

Surveillance Policy

The debate surrounding privacy rights ramped up after former NSA contractor Edward Snowden leaked classified information about the NSA's global surveillance programs, including previously unknown programs involving Americans. But the only bill that Congress has passed as a result of those revelations was legislation in 2015 to stop the bulk collection of phone records of millions of citizens.

The USA Freedom Act was praised by Snowden and others as the most significant surveillance reform bill since 1978.

But Senate Majority Leader Mitch McConnell, R-Ky., called the act “a resounding victory for those who currently plotted against our homeland…. It does not enhance the privacy protections of American citizens, and it surely undermines American security by taking one more tool from our war fighters, in my view, at exactly the wrong time.”71

Two years later, privacy advocates had hoped to stop the reauthorization of Section 702 of the FISA Amendments Act, due to expire at the end of 2017. Congress had added the section in 2008 to allow warrantless surveillance of suspects and to legalize a post-9/11 secret surveillance program. It included gathering communications between those suspects and Americans, as well as communication among Americans if foreign suspects were mentioned.

Snowden had criticized the surveillance program. “People should be able to pick up the phone and call their family … buy a book online … without wondering how these events are going to look to an agent of the government,” he said in a 2014 TED talk. “More communications are being intercepted in America about Americans than there are in Russia about Russians.”72

Some members of Congress agreed with him. “We are collecting vast amounts of data,” said Rep. Zoe Lofgren, D-Calif., in January on the House floor. “Under [Section] 702 you can search that for Americans for crimes that have nothing to do with terrorism,” she said.73

Those in favor of the program argued that the United States should do all it could to fight terrorism. Section 702 is a “critical national security tool used by our intelligence community,” said Rep. Chris Stewart, R-Utah.74

Data Hacks

Massive data breaches and invasive surveillance technology are accelerating the discussion about the need for better privacy protections. Among other things, security experts and privacy advocates are proposing consumer education, tighter regulation and stronger oversight.

Numerous lawsuits against Equifax accusing the company of negligence are pending after last year's enormous data breach. More than four months passed between the time Equifax failed to install a security patch and the time the issue was resolved.

Among the lawsuits is a national class action suit, filed in Atlanta, that names plaintiffs from every state and the District of Columbia. In addition, 240 individual class-action suits have been filed and numerous investigations are in process, including one by the FTC. Equifax and its attorneys have declined to comment on the litigation.75

According to the national class action lawsuit, thieves may already be using the stolen data. It alleges violations of federal and state laws and includes dozens of complaints indicating that criminals are using the information to make fraudulent credit card charges and apply for loans and mortgages.76

But some criminals bide their time. “Thieves know you may set up fraud alerts so they can wait for a period of time until using the data,” according to Velasquez of the Identity Theft Resource Center. “We hear anecdotally through our call center that victims of the Anthem breach from 2015 are just now contacting us because their information is beginning to be used.”

Anthem, the biggest U.S. health insurance company, agreed to pay $115 million last summer to settle a lawsuit over the hacking of about 79 million people's records in the largest data breach settlement to date.77

Action in Congress

In the wake of massive data breaches, Congress is considering several measures.

Under the Data Security and Breach Notification Act, introduced by three Democratic senators in December, business executives have 30 days to report data breaches or face up to five years in prison. The bill also would require the FTC to establish best practices for businesses to improve the protection of customer data.78

Washington state Attorney General Bob Ferguson announces a multimillion-dollar lawsuit against Uber on Nov. 28, 2017. He says the ride-sharing company broke state law when it failed to notify more than 10,000 drivers in the state that their personal information was accessed as part of a major hack in 2016 that affected 57 million Uber accounts worldwide. Uber concealed the hack for a year. The company acknowledges the problems and says it paid the hackers a $100,000 ransom to delete the data. (AP Photo/Elaine Thompson)

Rep. Johnson of Georgia is backing the Cyber Privacy Fortification Act, which would establish criminal penalties for those who intentionally conceal security breaches. “We must have measures in place that provide accountability to the public when corporations and their executives do the wrong thing and it hurts people,” he says.

Other bills focus on consumer education and the creation of best-practices for businesses and individuals. The FTC would be required to develop cybersecurity resources for consumer education about the Internet of Things under a bill introduced by Sens. Roger Wicker, R-Miss., and Maggie Hassan, D-N.H.79

And under a bill co-sponsored by Sen. Orrin Hatch, R-Utah, and Rep. Anna Eshoo, D-Calif., a “cyber hygiene best practices” list would be developed to help consumers navigate data privacy issues.80

While it was widely thought the growing number of data breaches would spur quick passage of legislation, none has yet passed. One reason, says Johnson, is that Congress “has no appetite for the exercise of regulatory power.”

Regan of George Mason University also sees the Trump administration as a potential roadblock. “With the current administration [in power], I think we're highly unlikely to see any legislation passed,” she says.

During his first year in office, President Trump has been moving aggressively to reduce government regulations, but White House press secretary Sarah Huckabee Sanders said shortly after the Equifax breach that the administration will look at the situation “extensively” to decide whether more rules are needed to protect data.81

Overseas Rules

Meanwhile, under the EU's stringent data privacy laws going into effect in May, businesses must get explicit consent from consumers before using or sharing their data. In addition, if consumers wish to withdraw their consent at any time, the procedure must be clearly explained and easily accomplished.82

The new regulations codify “privacy by design,” in which systems storing data must include privacy protections from inception — not as an afterthought.

The regulations will apply to any business processing the data of someone living in the EU, regardless of where the company itself is located.

Other key changes include:

An organization out of compliance will face fines of up to 4 percent of annual gross revenues or 20 million pounds, whichever is greater.

Businesses must use clear and easily understandable language on forms requesting data. The forms also must include the purposes for which the data will be used.

Organizations must reveal a breach within 72 hours of its discovery.

In a significant shift, EU citizens will have the right to find out whether any of their personal data is being collected, and if so, what and where. In addition, they will be entitled to an electronic copy of the data free of charge.

Microsoft, Facebook and other U.S. companies are preparing for the new regulations because of the compliance costs and the steep fines they could face if they suffer data breaches involving EU citizens. For example, Equifax could have been fined 4 percent of its annual profits, or $124 million, if the EU regulations had been in place in 2017 when its breach occurred.84

China, meanwhile, is expanding its use of facial recognition to build a national surveillance and data-sharing platform. In a test of the far-reaching “Sharp Eyes” program, authorities are alerted if targeted people move more than 330 yards outside of designated areas.

“A system like this is obviously well-suited to controlling people,” Harper of the Competitive Enterprise Institute told Bloomberg Businessweek. “‘Papers, please’ was the symbol of living under tyranny in the past. Now, government officials don't need to ask.”85

“Surveillance technologies are giving the government a sense that it can finally achieve the level of control over people's lives that it aspires to,” said German academic Adrian Zenz.

China's goal is to effectively track its people's locations, activities and associations in order to gauge their trustworthiness and ultimately assign them a “social credit” score, he said. The score could then be used to determine what schools their children attend and whether they could borrow money.86

In the United States, meanwhile, concerns are growing about automated decision-making (based on algorithms) for credit applications and other uses. Consumer reporting companies collect data and provide reports to other companies about consumers. These reports then help companies decide whether to provide people with credit, employment, rental housing, insurance and other things.87

“Lots of online companies are employing algorithms for a whole range of business practices,” says Verdi of the Future of Privacy Forum.

The group said algorithms can discriminate against applicants based on race, gender or health. It urged companies to design algorithms that “ensure proxies are not used for protected classes [under the law] & [that] data does not amplify historical bias.”88

Law enforcement also is using algorithms for such things as deciding where to patrol or who should be offered bail, Verdi says. In New York, Chicago and other cities, for example, police are using algorithms in computerized maps to predict crime trends and deploy resources. Defenders of the practice say the technology has helped reduce the city's crime rate to historic lows.89

The question, Verdi says, is whether “these algorithms are lawful or just discriminatory.”

Personal data that may be shared is becoming even more personal than name and address. Newly popular DNA kits are raising privacy red flags over the danger of companies sharing a person's genetic information with third parties, such as health insurance companies.

Sen. Chuck Schumer, D-N.Y., has asked the FTC to investigate companies such as 23andMe, a personal genomics and biotechnology company, as well as genealogy websites such as Ancestry.com and MyHeritage. 23andMe and Ancestry.com both said they do not sell DNA data without consent. MyHeritage said it has never sold such data to a third party.90

Growing Threats

Privacy advocates and many lawmakers from both political parties agree that danger lies ahead if the United States does not take steps soon to safeguard consumer privacy.

“Data breaches and identity thefts are increasing,” says Rotenberg of the Electronic Privacy Information Center, and “obviously it's out of control.”

“It's hard to build political pressure for the changes,” says Chemerinsky, dean of Berkeley Law. “In order for Congress to respond, it will likely take political pressure.”

“We can't just rely on the courts,” he says. “Some of the most important things that protect privacy come from legislation.”

The danger reaches beyond U.S. borders, says Rotenberg. “Increasingly, we see today that the data is being targeted by foreign adversaries,” he says. “This actually ups the stakes.”

The growing threat will make digital security even more important in the years ahead. “There will be a horrific shortage of qualified cybersecurity professionals” in the coming years, says Adam Levin, founder and chairman CyberScout, which focuses on preventing and dealing with identity theft. He believes the nation will need “a cybersecurity [agency] equivalent to the Consumer Financial Protection Bureau.”

“There has to be a much saner policy on disclosure of discovered vulnerabilities,” he says. “I am worried [that by] 2022, we may have entered the movie ‘Minority Report,’” about a world where people are arrested based on computer projections, before they actually commit crimes.

Despite the growing concerns over privacy, Rotenberg says he is “cautiously optimistic” that solutions can be found. “I don't think you can afford to give up on the future,” he says.

Companies such as Alphabet's Chronicle are emerging to offer businesses better protections against data breaches. And universities are beginning to offer specialties such as Brown University's Executive Master in Cybersecurity program to address a growing need for professionals.

The most oft-cited problem — using Social Security numbers to identify individuals and authenticate their data — has gained national urgency. Of all of the separate identifiers being discussed to replace the Social Security card system — biometrics such as facial recognition or retina scans, encryption, blockchain or two-factor authentication — the solution may be an amalgam of most or all of these options. Combining standard identifiers such as name, address and birth date along with dynamic factors such as biometrics could pull a range of identities into one central — and much more secure — consumer “identity.”91

“There are always going to be risks, and really bad things will happen, but we will muddle through,” says Harper of the Competitive Enterprise Institute. It may take a while, he adds.

In five years, he says, society will be in “about the same place.” But in “15 to 50 years, we will be much better off.” Why? “Because the solution to all of these privacy problems is generational.”

“Society will just get good at figuring this out,” says Harper.

Others are not so optimistic. If society fails to solve its burgeoning privacy issues, “we are going to face some kind of ‘Cybergeddon,’” says Levin. “Self-regulation simply isn't working.”

Pro

Priscilla Regan Professor of Policy and Government, George Mason University; Author, Legislating Privacy: Technology, Social Values, and Public Policy. Written for CQ Researcher, February 2018

Protecting consumer data is not only possible but essential. Despite repeated claims that “privacy is dead,” people value their individual privacy and living in a society that protects privacy. They also want their online data protected and are outraged by data breaches such as those at Equifax (2017), Uber (2016) and Yahoo (2013).

However, the current policy for protecting privacy, based on a 1970s idea of “fairness” and captured under the mantra of “notice and consent,” does not provide the necessary protection. Privacy-consent policies are long, unclear and legalistic — and unrealistically burden the individual who is focused on a transaction or activity. Hence the paradox that people care about privacy but act in ways that compromise it. And state laws provide redress only after a data breach occurs, leave consumers vulnerable to future harms and provide no real consequences for the companies.

As consumers' online and offline lives continue to blend into seamless data streams, protecting consumer data will be critical to innovations such as those promised by the Internet of Things and “big data.” Contrary to popular, but largely untested, beliefs that regulation of cyber activities will stifle online innovation, effective privacy and security regulation is now necessary to foster innovation.

Consumers are becoming more wary and skeptical as media coverage of privacy issues increases. In 2017, a Guardian reporter asked Tinder, a dating app, what information it had about her only to learn it had amassed, in her words, “her deepest, darkest secrets.” This is one of numerous examples ranging from concerns about reported misuse of personal data by many popular online companies to unauthorized surveillance and questionable security by nanny cameras, Alexa and driverless cars.

Effective privacy and security policies that consumers trust will require government regulation to hold companies accountable and render significant consequences for bad actors. Self-regulation by companies has not proven effective, and calls for more rigorous self-regulation are unlikely to improve the situation because real protections are expensive and not necessarily in the company's interest.

Instead, we need requirements for designing privacy and security into online systems; clear standards for appropriate uses of information; outside audits to ensure that personal data are being maintained with security and integrity; and a way for individuals to learn what types of their information are being held and delete irrelevant or outdated details.

Con

Bruce Schneier Security Technologist; Author, Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. Written for CQ Researcher, February 2018

Everything online is hackable. This is true for Equifax's data and the federal Office of Personal Management's data, which was hacked in 2015. If information is on a computer connected to the internet, it is vulnerable.

But just because everything is hackable doesn't mean everything will be hacked. The difference between the two is complex, and filled with defensive technologies, security best practices, consumer awareness, the motivation and skill of the hacker and the desirability of the data. The risks will be different if an attacker is a criminal who just wants credit-card details — and doesn't care where he gets them from — or the Chinese military looking for specific data from a specific place.

The proper question isn't whether it's possible to protect consumer data, but whether a particular site protects our data well enough for the benefits provided by that site. And here, again, there are complications.

In most cases, it's impossible for consumers to make informed decisions about whether their data are protected. We have no idea what sorts of security measures Google uses to protect our highly intimate Web search data or our personal emails. We have no idea what sorts of security measures Facebook uses to protect our posts and conversations.

We have a feeling that these big companies do better than smaller ones. But we're also surprised when a lone individual publishes personal data hacked from the infidelity site AshleyMadison.com, or when the North Korean government does the same with personal information in Sony's network.

Think about all the companies collecting personal data about you — the websites you visit, your smartphone and its apps, your internet-connected car — and how little you know about their security practices. Even worse, credit bureaus and data brokers like Equifax collect your personal information without your knowledge or consent.

So while it might be possible for companies to do a better job protecting our data, you as a consumer are in no position to demand such protection.

Government policy is the missing ingredient. We need standards and a method for enforcement. We need liabilities and the ability to sue companies that poorly secure our data. The biggest reason companies don't protect our data online is that it's cheaper not to. Government policy is how we change that.

Virtually all U.S. states recognize a right to privacy in civil suits.

1996

Health Insurance Portability and Accountability Act is the first federal statute to directly regulate the privacy of personal health data…. European Union requires various entities to protect personal information.

Nathan Ruser, a 20-year-old Australian studying security and the Middle East, noticed something strange in late January when he zoomed in on an interactive online map showing two years of activity by runners and walkers wearing Web-connected fitness devices.

A desert area in Syria that normally would have been dark on the map “sort of lit up like a Christmas tree,” Ruser said, leading him to wonder, “Does it show U.S. soldiers?”

Indeed, the Global Heatmap — posted by a GPS tracking company showing fitness device users' activity between 2015 and 2017 — revealed the movements of U.S. soldiers in the Middle East, Afghanistan and elsewhere who were wearing fitness trackers. After news of the security oversight broke, the U.S. military vowed to revise its guidelines on the use of all wireless devices by service members.1

Fitness bands, such as the Fitbit Alta HR, above, and other devices that are part of the Internet of Things can leave their users open to hacking and surreptitious monitoring. (Getty Images/Fitbit/Dave Kotinsky)

Such revelations have raised concerns about the security, and privacy, of devices that are part of the Internet of Things (IoT). The digital innovation connects consumer devices, including lights, refrigerators, DVRs and even toys, to the internet and through it to each other. Based on the rapidly growing popularity of such devices — 127 new ones join the IoT network every second, according to one study — experts predict there will be more than 50 billion IoT devices worldwide by 2020.2

However, many of those devices leave their users wide open to hacking, surreptitious monitoring and other privacy intrusions. A study by privacy advocates found, for example, that nearly one-third of the apps on the top wearable fitness devices lack privacy policies covering how user data will be handled.3

Some toys also pose concerns. U.S. privacy advocates filed a complaint in 2016 with the Federal Trade Commission (FTC) about a microphone-equipped doll named My Friend Cayla. The advocates said the toy, which is able to “talk” to children by establishing wireless internet connections with a third-party voice-recognition software company, is easily hackable and violates child-protection regulations and laws.

“A stranger or potential predator within a 50-foot range can easily establish a Bluetooth connection with the doll, eavesdrop on the child and even converse with the child through the doll,” warned Josh Golin, executive director of the Campaign for a Commercial-Free Childhood, a coalition of educators, health care professionals, parents and others. The group asked Amazon and Walmart to stop selling the doll; both companies have complied, although the doll is still marketed in the United States.4

Germany, where wireless devices with hidden cameras or recorders are illegal, has banned the dolls and directed parents to destroy them. A German university student, Stefan Hessel, had raised legal concerns after he found that an eavesdropper could listen in to the doll's conversations with the child “through several walls.”5

Genesis Toys, the doll's manufacturer, said on its website it “is committed to protecting you and your family's personal information.” And Vivid, a U.K.-based toy distributor that sold the dolls in Germany, said it was determined to comply “with all applicable rules and regulations” and was “working with our German partners to resolve this issue.”6

Advocates of IoT devices say virtual assistants such as Amazon's Alexa and Apple's Siri offer not only convenience but also enormous benefits. “The voice control for Alexa is convenient for me, but if you're blind, Alexa is a game-changer,” says John Verdi, vice president of policy for the Future of Privacy Forum, a think tank that advocates for data privacy.

Meanwhile, so-called smart TVs, or televisions connected to the internet, have come under scrutiny for collecting data on consumers. Vizio, the second-largest manufacturer of smart TVs, was fined $2.2 million by the FTC for collecting and selling data without the knowledge or consent of its TV users. Some of the company's TVs recorded what viewers watched “on a second-by-second basis,” said the complaint. Under the settlement, Vizio neither confirmed nor denied wrongdoing, but company general counsel Jerry Huang pledged Vizio will “get people's consent before collecting and sharing television-viewing information.”7

Most consumers do not realize that their internet-connected devices can be hijacked for use in a major digital attack, such as a 2016 incident that knocked Twitter, Reddit, Netflix and many other sites off the Web. The attackers used millions of unsecured internet-connected webcams, routers and DVRs to create a chain reaction.8

Technology security expert Bruce Schneier says the dangers posed by the IoT are so great that a federal agency should be created to deal with them.

While a data breach may be serious, “the IoT can kill people,” he says. He cites a situation in which hackers take control of self-driving cars, which use wireless internet connections to guide them. “Crashing all the cars in Pittsburgh is a perfectly reasonable attack scenario,” Schneier says.

The trouble began at the end of 2015. Amy Wang, an occupational therapist in Miami, and her husband started receiving credit card approvals and rejections from stores like electronics retailer hhgregg, Walmart and Bloomingdale's. “Every day it was a different card,” she says. Her husband would get on the phone each night and try to tell the companies they had not applied for any cards.

Then the bills began arriving. Macy's and Bloomingdale's said they owed a total of $20,000 for goods the Wangs never bought on cards they did not possess. The couple filed a police report.

“Anything that anyone told us to do, we did,” says Wang.

Amy Wang of Miami and her family experienced a nightmarish breach of their privacy after someone stole their personal data. More than 16.7 million Americans had their identities stolen in 2016, costing them $16.8 billion. (Courtesy Amy Wang)

Then they received a change-of-address confirmation form in the mail in early January 2016. “I just thought it was a mistake,” she says. Wang called the U.S. Postal Service's 800 number listed on the form and explained they had not moved.

She assumed their mail would start arriving again, but it did not. When Wang talked to their letter carrier about it, he told her their mail was still being forwarded and advised her to go to the post office near her house.

There, she was told it would take seven to 10 days to restore her mail service. About two weeks later, when the couple were still not receiving mail, she started calling the Postal Service's district office. “A trickle” of mail finally started to appear around the end of February, nearly two months after they had received the notice.

It was frustrating, she says, because nothing seemed to work. “We felt like we were in some weird sci-fi movie,” says Wang. The Postal Service did not respond to CQ Researcher requests for comment.

The timing of the identity theft was not accidental, says Wang. The thieves got “all of our tax information, our kids' Social Security numbers” on documents mailed to them by the IRS in January.

Like Wang and her family, more than 16.7 million Americans had their identities stolen in 2017, costing them $16.8 billion, up from $15.3 billion stolen from 13.1 million victims in 2015, according to Javelin Strategy & Research, a Pleasanton, Calif.-based financial research group. In 2006, in comparison, the number of victims was 10.6 million.9

Michigan has the highest per capita rate of reported identity theft fraud, followed by Florida and Delaware.10

“It is inevitable that each and every one of us is going to have [our identity] compromised in our lives,” says Adam Levin, founder and chairman of CyberScout, a business focusing on identity theft services.

Levin advises consumers to follow what he calls the three M's:

Minimize the risk of exposure: Reduce the number of credit cards you carry, secure your wireless devices and limit your sharing of personal details on social media.

Manage the damage: Alert the authorities, and freeze your credit if appropriate.11

“Know as quickly as possible that you have a problem, and then have a plan,” he says.

In 2015, credit card companies introduced cards with microchips, making the cards harder to counterfeit. Credit card companies also use text messages and email alerts to notify cardholders when they suspect thieves are using a credit card number in what is known as a “card-not-present” transaction.12

The Postal Service has said it takes several steps to determine whether an address change is legitimate. When a request is made online, a $1 fee must be paid with a credit or debit card. The name and address on the card have to match the name and one of the addresses on the change form. When a change-of-address form is submitted in person, the Postal Service requires “verification,” but on its website it does not define the term.13

The use of microchips in credit cards led many criminals to switch to identity theft and to open new charge accounts in other people's names, according to the Identity Theft Resource Center, a victim's advocacy group. As a result, fraud in which the thief is actually holding a card is declining while fraud involving a card that is not in the thief's physical possession is rising.14

To prevent identity theft, consumers must be armed with better information, says Wang. “Somebody has to be five steps ahead of these guys,” she says. “Otherwise we're going to be eight steps behind.”

Wang says she and her husband had been notified of a data breach and heard of the possibility of another before their troubles began.

But they have no idea whether either had anything to do with the identity theft. The whole experience, they say, was bewildering and frightening. “You don't understand it until it happens to you,” Wang says.

She says the hardest part is that it is not behind them. “They have our information. They have our kids' information.”

“To me, they're just waiting,” says Wang. “They're like sleeper cells. This will never be over for us.”

Articles

Hymson, Paige , “White House Cybersecurity Coordinator Rob Joyce calls Social Security identification system ‘flawed,’” The Washington Post, Oct. 4, 2017, https://tinyurl.com/ycxnwadd. Government agencies have been asked to explore a more secure cryptographic identifier to replace the Social Security number.

Rotenberg, Marc , “Equifax, the Credit Reporting Industry, and What Congress Should Do Next,” Harvard Business Review, Sept. 20, 2017, https://tinyurl.com/y9spbfvg. Congress needs to address fundamental flaws in the use of the Social Security number system and in the credit industry, says the president of the Electronic Privacy Information Center, which studies privacy issues.

Savage, Charlie, Eileen Sullivan and Nicholas Fanidos , “House Extends Surveillance Law, Rejecting New Privacy Safeguards,” The New York Times, Jan. 11, 2018, https://tinyurl.com/yckjajl2. The House voted to continue the National Security Agency's warrantless surveillance program for another six years, despite bipartisan calls for more privacy protections.

Schneier, Bruce , “Click Here to Kill Everyone,” New York Magazine, Jan. 27, 2017, https://tinyurl.com/jztq8yz. A cybersecurity expert argues that the Internet of Things, which connects household and other devices to the internet, is equivalent to a world-size robot that needs to be controlled.

Sorkin, Amy Davidson , “In Carpenter case, Justice Sotomayor tries to picture the smartphone future,” The New Yorker, Nov. 30, 2017, https://tinyurl.com/ydf4fbpk. The author explains the nuances of Carpenter v. United States, which some consider the most significant privacy case in decades, and Supreme Court Justice Sonia Sotomayor's role in the case.

Reports and Studies

Rotenberg, Marc , “Testimony and Statement for the Record, Hearing on Consumer Data Security and Credit Bureaus,” Committee on Banking, Housing and Urban Affairs, U.S. Senate, Oct. 17, 2017, https://tinyurl.com/y7qjaar4. The president of the Electronic Privacy Information Center outlines steps Congress could take to minimize the risk of another major data breach in the wake of the massive Equifax hack.

Schneier, Bruce , “Testimony Before the House Subcommittee on Digital Commerce and Consumer Protection,” U.S. House of Representatives, Nov. 1, 2017, https://tinyurl.com/ybax987q. A noted cybersecurity expert argues that effective regulation of data brokers is vital to protect citizens and national security.

European Union

Khan, Mehreen, and Aliya Ram , “EU warns member states over data protection reforms,” Financial Times, Jan. 24, 2018, https://tinyurl.com/y7mvkced. With its stringent new privacy rules taking effect in May, the European Union (EU) is urging member states to quickly bring their national laws in alignment with the reforms that will give consumers more control over how businesses use their personal data.

Lomas, Natasha , “WTF is GDPR?” Tech Crunch, Jan. 20, 2018, https://tinyurl.com/yabhlll2. The European Union's new privacy rules, the General Data Protection Regulation (GDPR), aim to foster growth in the digital economy by reassuring consumers that their information is safe.

Ram, Aliya, and Hannah Kuchler , “Europe's data rule shake-up: How companies are dealing with it,” Financial Times, Jan. 3, 2018, https://tinyurl.com/y84n5j2q. Companies, including Facebook and the online audio distribution platform SoundCloud, are scrambling to understand the EU's new rules before their implementation in May.

Identity Theft

Adams, R. L. , “Identity Theft Protection: 10 Ways To Secure Your Personal Data,” Forbes, May 5, 2017, https://tinyurl.com/y9wruhnd. An identity theft victim who had his personal information stolen from a GoDaddy account offers tips on how to avoid the same fate.

Dobrin, Isabel , “To Protect Children From Identity Theft, Parents Must Be Proactive,” NPR, Oct. 18, 2017, https://tinyurl.com/yaq6dkhr. The theft of children's Social Security numbers is especially worrisome because their parents may not discover the theft for years since the children will likely not be applying for credit for some time, said an expert at the Federal Trade Commission.

Grant, Kelli B. , “How to protect yourself after the Equifax breach: Assume you're affected,” CNBC, Sept. 8, 2017, https://tinyurl.com/ycd4fhoq. The best way to protect your identity after the 2017 breach at the consumer credit reporting agency Equifax is to assume your information is already out there and to freeze everything, says a personal finance writer.

Internet of Things

“Business Is Embracing Internet Of Things As Most Important Technology, Says New Study,” Forbes, Jan. 16, 2018, https://tinyurl.com/y8r3v4ew. Despite implementation challenges, companies are embracing the Internet of Things (IoT) — personal and household devices that are connected to the internet and transfer data — as the most important emerging technology, according to a survey of more than 500 senior executives.

U.S. Regulations

“South Dakota Senate Panel Approves Data Breach Legislation,” The Associated Press, U.S. World News & Report, Jan. 23, 2018, https://tinyurl.com/y8z8wsk5. Under proposed state legislation, companies would be required to inform South Dakota residents when their personal data has been breached.

Khalil, Fouad , “Europe's privacy law set to change how personal data is handled around the globe,” The Hill, Dec. 27, 2017, https://tinyurl.com/yc82ve6e. Europe's tough new privacy regulations, which will apply to U.S. companies doing business on the Continent, might spur Congress to pass data protection legislation.

Identity Theft Resource Center3625 Ruffin Road, #204, San Diego, CA 92123 888-400-5530 idtheftcenter.org Advocacy group that supports identity theft victims and works to educate the public about how to protect against identity theft, data breaches, scams and frauds.

Ellen Kennerly has worked as a journalist for more than three decades, mostly with the Atlanta Journal-Constitution where she held editing and managerial positions in print and digital. Since then, she worked as professional in residence for the Office of Student Media at Louisiana State University and as an editorial department director for WebMD. She is now a communications consultant in Atlanta.